"In Windows 8, IE10 sends a 'Do Not Track' signal to websites by default. Consumers can change this default setting if they choose. This decision reflects our commitment to providing Windows customers an experience that is 'private by default' in an era when so much user data is collected online," said Dean Hachamovitch, Microsoft's corporate VP for Internet Explorer, in a blog post.

"IE10 is the first browser to send a 'Do Not Track' (DNT) signal by default," he said. "While some people will say that this change is too much and others that it is not enough, we think it is progress and that consumers will favor products designed with their privacy in mind over products that are designed primarily to gather their data," he said.

The Do Not Track initiative--backed by the likes of Google, Microsoft, Twitter, and Yahoo, as well as the Digital Advertising Alliance (DAA)--is a self-regulatory framework hammered out by technology businesses, privacy and civil rights groups, and advertisers. DNT is designed to give consumers a browser button that they can click to signal to advertisers that they don't want their personal information to be tracked. While the initiative isn't--at least so far--backed by law, the White House made it a cornerstone of the Consumer Privacy Bill of Rights that it announced earlier this year.

But the Association of National Advertisers (ANA), a media and marketing trade association, quickly condemned Microsoft's enabling of DNT by default, saying it would "harm marketers' effectiveness and productivity," increase marketing costs, and lead to an increase in "untargeted, irrelevant online advertising."

"Microsoft's decision, made without industry discussion or consensus, undercuts years of tireless, collaborative efforts across the business community--efforts that were recently heralded by the White House and Federal Trade Commission as an effective way to educate consumers and address their concerns regarding data collection, targeted advertising, and privacy," said Bob Liodice, ANA president and CEO, in a statement. "We reject efforts by any provider or other group to unilaterally impose choices on the consumer in this critical area of the economy."

"On behalf of the ANA's more than 450 members and in conjunction with our sister associations that founded the DAA, we request that Microsoft reconfigure IE 10, which is now in preview mode, to contain a default 'off' browser setting for its 'Do Not Track' function in accordance with the DAA's Self-Regulatory Program," Liodice said.

Likewise, Randall Rothenberg, president and CEO of the Interactive Advertising Bureau (IAB), said in a statement that enabling Do Not Track by default "represents a step backwards in consumer choice, and we fear it will harm many of the businesses, particularly publishers, that fuel so much of the rich content on the Internet."

"We do not believe that default settings that automatically make choices for consumers increase transparency or consumer choice, nor do they factor in the need for digital businesses to innovate and thrive economically," he said. "Actions such as these will undermine the success of our industry's self-regulatory program."

The advertising industry's stated bid to empower users drew a fast response from privacy experts. "After years of tracking users without their knowledge or consent, ad industry suddenly favors a [user's] 'right to choose,'" tweeted security and privacy researcher Christopher Soghoian, further saying that "the 'right to choose' that the ad industry favors is the right to enable Do Not Track (as they want it off by default)."

Advertisers had long advocated that the industry should be allowed to self-regulate. But in late 2010, the Federal Trade Commission released a report warning that "more advanced technologies were enabling 'rapid data collection and sharing that is often invisible to consumers,'" while online privacy policies made it unclear how consumers could protect themselves. In short, the FTC declared that the self-regulatory approach to online consumer privacy had failed.

The FTC's related call for a new, consumed-focused online privacy framework was followed by revelations over supercookies used by some advertisers, which people couldn't detect or block from their browsers, and which enabled persistent tracking across websites. That led to calls by Congress for the FTC to take a closer look at the practices of online advertisers. Before long, such organizations came to the table with browser makers, as well as privacy and consumer rights groups, to begin hammering out the Do Not Track initiative.

Microsoft's move to make Do Not Track enabled by default will now also put Mozilla and Google's approach to DNT in the spotlight. "Mozilla continues to argue Do Not Track choice should be made by users. Microsoft has put them in a very tight spot," tweeted Soghoian.

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.